A common problem in a Local Area Network (LAN) or other Internet Protocol (IP) network is that a single network device connected to the network adversely affects the performance of the entire network. For a network administrator to address the problem, it is often necessary to determine where the offending network device is physically located in a building and how it is connected to the network switches or similar network devices. This information needs to be determined quickly, so that action can be taken to restore the network to normal performance.
Each network device includes a universally unique identifier, known as the device's Media Access Control (MAC) address. In a network having a number of network switches, such as layer-2 Ethernet switches, each network switch maintains a table of learned MAC addresses and the physical port on which each MAC address was learned. For example, a faulty network device could have a bad network interface card and transmit packets in an out-of-control manner. In another example, a server could be assigned an IP address of x.x.x.x, which the network associates with the server's MAC address. A computer on the same network could previously have had that same IP address of x.x.x.x. The user of that computer may not have used it for six months. When the user boots the computer six months later, it still holds the static IP address of x.x.x.x and advertises itself to the network and other users under that IP address. In operation, other users (including the user of the now-offending computer) may be trying to access the server that has the IP address of x.x.x.x. Because traffic is redirected from the correct server to the offending computer, the network does not operate properly. Again, the offending computer with the wrong IP address needs to be located quickly and efficiently. An even worse scenario is when the user of an offending device must be located because of malicious behavior. In such a scenario it may be even more critical to locate the offending device quickly and efficiently.
One known solution to the problem of locating an offending network device based on its MAC address is for a technician or other administrator to log in manually to each network switch and determine whether the faulty or otherwise offending network device is directly connected to that network switch. If the administrator determines that the offending network device is connected to a certain switch port, the administrator may take action that may include shutting down the port, isolating the offending network device on a separate virtual LAN (VLAN), rate limiting the offending network device, blocking all traffic having the device's MAC address, etc. This manual log-in technique is a lengthy, cumbersome process, especially in larger networks where there are many network switches to search. Also, detailed knowledge of the network architecture is required, because the administrator searching for the offending network device must determine whether the device is directly connected to the network switch or whether the MAC address was learned on a switch port that is tied to another network switch. For example, the offending network device could be located multiple hops away.
Another solution to the problem of locating an offending network device is described in U.S. Pat. No. 8,380,828, entitled “System and Method for Locating Offending Network Device and Maintaining Network Integrity.” This solution involves employing the Link Layer Discovery Protocol (LLDP) to propagate a discovery protocol frame through the network. The discovery protocol frame contains organizationally specific Type-Length-Value (TLV) information that identifies the MAC address of the offending network device and other information that may assist a switch in participating in and responding to the search. Each switch consults its table of learned MAC addresses to determine whether the MAC address of the offending network device is associated with one of its ports. If the switch determines that the MAC address is associated with one of its ports, the switch provides a response.
The foregoing method of propagating a discovery protocol frame through the network using LLDP does not provide a complete solution to the problem unless every switch in the network is capable of determining whether the MAC address of the offending network device is associated with one of its ports and responding accordingly. A switch must be configured with corresponding software in order to participate in this method. Thus, the method is impeded in a network in which one or more switches are not configured with the requisite software. For example, a network may include switches associated with one switch manufacturer that the manufacturer has configured to participate in the method (e.g., configured with software), as well as switches associated with other manufacturers that have not been so configured. The discovery protocol frame cannot traverse a switch that is not so configured. Thus, a non-configured switch interposed in the network between configured switches presents an obstacle to configured switches downstream from the non-configured switch determining whether the MAC address of the offending network device is associated with any of their ports. It would be desirable to provide an improved method and system in which non-configured switches present less of an obstacle.
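The following is an added illustration, not code from the patent or any switch vendor: a small model of the two search approaches described above, with constructed switch names, ports and MAC addresses. It shows how consulting a learned-MAC table distinguishes a directly attached device from one reached over an uplink, and why a search frame relayed only by configured switches never reaches a switch sitting behind a non-configured one.

```python
from collections import deque

# Constructed topology (hypothetical names). Each switch has its learned-MAC
# table (mac -> port), the ports that are uplinks to other switches, and a flag
# for whether it runs the LLDP-based search software. sw1 -- sw2 -- sw3, with the
# target device attached to sw3 and sw2 lacking the search software.
TARGET_MAC = "00:11:22:33:44:55"
SWITCHES = {
    "sw1": {"configured": True,  "links": {"g1/0/24": "sw2"},
            "mac_table": {TARGET_MAC: "g1/0/24", "aa:bb:cc:00:00:01": "g1/0/3"}},
    "sw2": {"configured": False, "links": {"g1/0/1": "sw1", "g1/0/10": "sw3"},
            "mac_table": {TARGET_MAC: "g1/0/10"}},
    "sw3": {"configured": True,  "links": {"g1/0/48": "sw2"},
            "mac_table": {TARGET_MAC: "g1/0/7", "aa:bb:cc:00:00:02": "g1/0/8"}},
}

def local_lookup(name, mac):
    """Consult one switch's learned-MAC table. Returns (port, direct) or None.
    direct is False when the port is an inter-switch link, i.e. the device is
    at least one hop further away and the search must continue elsewhere."""
    sw = SWITCHES[name]
    port = sw["mac_table"].get(mac.lower())
    if port is None:
        return None
    return port, port not in sw["links"]

def manual_search(mac):
    """The log-in-to-every-switch method: every switch is checked regardless
    of software, at the cost of visiting all of them."""
    hits = {}
    for name in SWITCHES:
        hit = local_lookup(name, mac)
        if hit:
            hits[name] = hit
    return hits

def lldp_search(start, mac):
    """Propagate a search frame hop by hop from `start`. Only a configured
    switch processes the frame and relays it to its neighbors; a non-configured
    switch drops it, so switches behind it are never consulted."""
    responses, seen, queue = {}, {start}, deque([start])
    while queue:
        name = queue.popleft()
        sw = SWITCHES[name]
        if not sw["configured"]:
            continue  # frame not understood: no lookup, no relay
        hit = local_lookup(name, mac)
        if hit:
            responses[name] = hit
        for neighbor in sw["links"].values():
            if neighbor not in seen:
                seen.add(neighbor)
                queue.append(neighbor)
    return responses

def directly_connected(responses):
    """The (switch, port) pairs where the device is actually attached."""
    return [(n, p) for n, (p, direct) in responses.items() if direct]
```

With this topology the manual search locates the device on sw3 port g1/0/7, while the frame-propagation search started at sw1 stops at the non-configured sw2 and reports only sw1's uplink port, which is not where the device is attached.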